CyberWire Daily - CyberWire Pro Research Briefing from 11/23/2021
Episode Date: November 27, 2021

Enjoy a peek into CyberWire Pro's Research Briefing as the team is off recovering from our Thanksgiving feasts. This is the spoken edition of our weekly Research Briefing, focused on threats, vulnerabilities, and consequences, as they're played out in cyberspace. This week's headlines: Iranian threat actors target the IT supply chain. North Korean cyberespionage. More information on Emotet's return. Like what you hear? Consider subscribing to CyberWire Pro for $99/year.
Transcript
Here is your CyberWire Research Briefing for Tuesday, November 23, 2021.
Microsoft's Threat Intelligence Center warns of an increase in Iranian actors targeting companies in the IT supply chain, particularly in India. Quote, In July 2021, a group that MSTIC tracks as DEV-0228 and assesses as based in Iran compromised a single Israel-based IT company that provides business management software. Based on MSTIC's assessment, DEV-0228 used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors of Israel. In September, we detected a separate Iranian group, DEV-0056, compromising email accounts at a partially government-owned organization in the Middle East that provided information and communications technology to defense and transportation sectors. End quote.

Microsoft adds, quote, to enterprise customers in India, roughly 80% of which were to IT companies, an exponential rise from the 10 notifications we issued the previous three years in response to previous Iranian targeting. Iranian cyber actors have rarely targeted India, and the lack of pressing geopolitical issues that would have prompted such a shift suggests that this targeting is for indirect access to subsidiaries and clients outside of India. End quote.

Proofpoint has published a report on TA406, one of three
threat actors that Proofpoint tracks under the umbrella of the North Korean threat group Kimsuky. The researchers say the group conducts both cyber espionage and financially motivated attacks, including cryptocurrency theft and sextortion. Proofpoint stated, quote, In early 2021, TA406 began almost weekly campaigns featuring themes that included nuclear weapon safety, U.S. President Joe Biden, Korean foreign policy, and other political themes. The group attempted to collect credentials such as Microsoft logins or other corporate credentials from the targeted individuals. In some cases, the emails were benign in nature. These messages may have been attempts by the attackers to engage the victims before sending them to a malicious link or attachment. End quote.

Group-IB is tracking a threat actor dubbed RedCurl that's conducting corporate cyber espionage. The threat actor has attacked a Russian wholesale company and two other
unknown companies since the beginning of 2021. The researchers note that the group is stealthy and focuses solely on data theft rather than ransomware or extortion. Quote, Group-IB has noted that despite a high level of control over the victim's network, RedCurl does not encrypt infrastructure, withdraw money from accounts, or demand ransoms for stolen data. This most likely indicates that the group monetizes its attacks in a different way. The group strives to obtain valuable information as covertly as possible. RedCurl is mainly interested in the following types of files: business emails, staff records, documents relating to various legal entities, court records, and other internal information. Even after the attack has ended, victims could remain unaware that confidential information has been exfiltrated to RedCurl's servers. End quote.
Researchers at Advanced Intelligence offer details on the reappearance of the Emotet trojan and botnet, noting that former members of the Ryuk ransomware gang, many of whom are now believed to operate the Conti ransomware, pushed Emotet's operators to rebuild their infrastructure. Quote, Advanced Intelligence's visibility into the adversary space enables us to confirm that it was the former Ryuk members who were able to convince former Emotet operators to set up a backend and malware builder from the existing repository project to return to business in order to restore the TrickBot-Emotet-Ryuk triad. This partnership enables the Conti syndicate to answer the unfulfilled demand for initial accesses on an industrial scale, while competitor groups such as LockBit or Hive will need to rely on individual low-quality access brokers. As a result, Conti can further advance their goal of becoming a ransomware monopolist. End quote.
And that's your CyberWire research briefing. We'll see you back here next week.